Security Policy Deployment and Enforcement System for the Detection and Control of Polymorphic and Targeted Malware
Abstract
The present system and method pertain to the detection of malicious software and processes such as malware. A cloud security policy system receives hashes and behavioral information about applications and/or processes executing on user devices. The cloud security policy system records this information and then evaluates the trustworthiness of the hashes based on the information received from the user devices to provide a security policy for the applications and/or processes. The security policy is sent from the cloud security policy system to user devices to be applied by the user devices.
8 Claims
1. A method for providing security policies, the method comprising:
   receiving behavioral information about applications executing on user devices;
   searching databases of known applications and utilizing crowdsourcing to identify the applications executing on the user devices;
   determining trustworthiness for each of the identified applications based on the behavioral information received from each of the user devices; and
   providing security policies for the applications to the user devices based on the determined trustworthiness.

2. A security policy system comprising:
   a web services component of the security policy system that receives behavioral information about processes executing on user devices;
   an analysis engine of the security policy system that determines trustworthiness for each of the processes based on the behavioral information received from each of the user devices; and
   a policy engine of the security policy system that provides security policies for the processes to the user devices based on the determined trustworthiness.

3. A method for implementing security policies on user devices, the method comprising:
   monitoring processes executing on user devices;
   searching for security policies associated with the processes;
   upon locating security policies, applying the security policies to the processes;
   upon failing to locate security policies on the user devices, sending requests to a security policy system; and
   upon receiving security policies from the security policy system, applying the security policies to the processes.
   (Dependent claim 4 not shown.)

5. A method for monitoring applications on user devices, the method comprising:
   monitoring applications requesting to open files using system dynamic-link libraries;
   searching for hashes corresponding to filenames of the files requested by the application in caches of the user devices;
   upon locating hashes of the user devices, searching for security policies associated with the hashes; and
   upon locating the security policies associated with the hashes, enforcing restrictions of the security policies.

6. A method for monitoring processes executing on user devices, the method comprising:
   intercepting application program interface calls to monitor resource requests of executing processes;
   maintaining a log of the resource requests in a database if the processes are being monitored;
   applying security policies to the processes if the processes are controlled by security policies; and
   sending the log of resource requests to a security policy system.

7. A distributed security system for monitoring processes executing on user devices, the system comprising:
   an application program interface detour that intercepts application program interface calls and monitors resource requests of executing processes;
   a reputation manager that applies security policies to the processes if the processes are controlled by the security policies;
   a database of a user system that stores logs of resource requests if the processes are being monitored by the reputation manager; and
   a reputation database of a security policy system that stores logs of resource requests from multiple user devices.

8. A method for identifying polymorphic malware on user devices, the method comprising:
   monitoring behaviors of applications executing on user devices to determine fingerprints of the applications;
   comparing the fingerprints of the applications to fingerprints of known malware;
   determining if any fingerprints of the application are similar to fingerprints of known malware; and
   applying security policies to the applications when the fingerprints of the application are similar to fingerprints of known malware.
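As an added illustration of the cloud/device split described in claims 1, 2, 3 and 6 (this is example code written for this page, not the patent holder's implementation), the following toy model scores a hash from crowdsourced behaviour reports on the cloud side and performs the cache-first, cloud-on-miss policy lookup on the device side. The hash values, behaviour labels, the three-report minimum and the 0.5 risky-report ratio are constructed assumptions.

```python
from collections import defaultdict

# Behaviours a device may report about a process (constructed labels for the example).
RISKY = {"modifies_autorun", "injects_into_process", "encrypts_user_files"}

class CloudPolicySystem:
    """Cloud side (claims 1 and 2): records behaviour reports per hash from many
    devices, scores trustworthiness and returns a policy per hash."""
    def __init__(self, known_good=(), min_reports=3):
        self.known_good = set(known_good)   # "database of known applications"
        self.reports = defaultdict(list)    # hash -> behaviour sets from devices
        self.min_reports = min_reports      # crowdsourcing threshold (assumed)

    def receive_report(self, file_hash, behaviours):
        self.reports[file_hash].append(set(behaviours))

    def trustworthiness(self, file_hash):
        if file_hash in self.known_good:
            return "trusted"
        reps = self.reports.get(file_hash, [])
        if len(reps) < self.min_reports:
            return "unknown"                # too few reports to decide yet
        risky = sum(1 for b in reps if b & RISKY)
        return "untrusted" if risky / len(reps) >= 0.5 else "trusted"

    def policy_for(self, file_hash):
        # Unknown hashes are monitored, not blocked: their behaviour is the evidence.
        return {"trusted": "allow", "unknown": "monitor",
                "untrusted": "block"}[self.trustworthiness(file_hash)]

class DeviceAgent:
    """Device side (claims 3 and 6): local cache first, cloud on a miss,
    resource requests logged and reported while a process is monitored."""
    def __init__(self, cloud):
        self.cloud, self.cache, self.log = cloud, {}, []

    def on_process_start(self, file_hash):
        if file_hash not in self.cache:     # no local policy: ask the cloud
            self.cache[file_hash] = self.cloud.policy_for(file_hash)
        return self.cache[file_hash]

    def refresh(self, file_hash):           # pick up a policy the cloud has revised
        self.cache.pop(file_hash, None)
        return self.on_process_start(file_hash)

    def on_resource_request(self, file_hash, behaviour):
        policy = self.on_process_start(file_hash)
        if policy == "monitor":             # log locally and report to the cloud
            self.log.append((file_hash, behaviour))
            self.cloud.receive_report(file_hash, [behaviour])
        return policy != "block"            # False means the request is denied
```

Note that a cached "monitor" verdict stays in force until the device re-queries, so a deployment needs a refresh or push path for policies the cloud revises.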
Specification